What is Email Phishing?
A Guide To Preventing Email Phishing Scams
Phishing – is the practice of sending fraudulent communications that appear to come from a reputable source. A few years ago, “one of the largest health insurers, Anthem reported a data breach that affected the personal information of up to 80 million customers. An investigation surmised that a phishing campaign may have given the attackers the credentials of five different Anthem employees. An Anthem computer system administrator realized that an unauthorized individual was using his security credentials to log into the system to steal customer data.
But the phishing didn’t stop there — less than a week after the data breach was reported to customers and the media, reports of phishing messages that appeared to be from Anthem were sent to current and former customers. The emails offered credit monitoring to users, urging them to click on a link and submit personal information.” (Source)
Phishing emails are designed to trick you and take advantage of your good intentions and your business. Usually, they are composed to look like real correspondence from well-known companies or people you know, like Apple or Google. They all have the same goal: to steal information. Email addresses, login info, phone numbers, financial data, medical records, you name it. Attackers are phishing for all this and more, and they can accomplish it in a few different ways.
Different Kinds of Phishing
There are three main ways that attackers steal information. They either get you to click a malicious link, open an attachment that contains malware, or enter your account information on a fraudulent webpage. The website and email can look completely legitimate, but it’s just a front. Routine, everyday e-mails can also be phishing emails: attackers will fake a shipping notification or a password reset email to get the recipient to click and download malware onto their device.
Let’s talk about how you can keep yourself and your business safe.
What Can You Do If You’re In The IT Department?
Make sure that your company’s computers are always up to date with updates and patches. Attackers thrive on vulnerabilities and weaknesses in systems that haven’t been patched. Keep a log of each device and check it monthly to make sure every device is updated. Also, make sure that every employee has two-factor authentication enabled when possible. Keeping internal phone numbers private when possible is important because phone numbers are often used in two-factor authentication. You might want to set up a secret internal phone that is used primarily for two-factor authentication, so that even if you are compromised you can always recover your accounts with a backup method. Another thing you can do is disallow password sharing. If there’s an account that needs to be accessed by multiple employees, have them set up additional linked accounts (or roles, depending on the system). This mitigates some of the risks of having one password and user shared by multiple employees and reduces the chance of it being accidentally leaked or shared with an attacker.
With all that being said, the most secure way to set up two-factor authentication is with WebAuthn.
“All that’s needed to enable Webauthn is a supported web browser, operating system and a strong, built-in biometric authenticator like TouchID to enable a secure, phishproof two-factor authentication method. For legacy endpoints that don’t contain a built-in biometric sensor, USB-based security keys can bridge the gap.”
Biometric authentication is here now, and it is (currently) phish-proof because (currently) attackers can’t easily or cost-effectively steal your fingerprints. If you’re considering setting up the ultimate protection, this is the way to go.
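Part of what makes a WebAuthn login phish-resistant is that the browser writes the origin of the page that called the API into the signed client data, and the relying party rejects anything that does not name its own origin. The check below is an added illustration written for this article, not code from the article or from any WebAuthn library; the `RP_ORIGIN` value and the helper that builds client data are assumptions for the demo, and the signature check that follows this step in a real server is left out.

```python
import base64
import json

# Assumed relying-party origin for this example; a real server reads this from its config.
RP_ORIGIN = "https://accounts.example.com"

def b64url_decode(data: str) -> bytes:
    """WebAuthn encodes the challenge as unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def verify_client_data(client_data_json: bytes, expected_challenge: bytes,
                       expected_type: str = "webauthn.get"):
    """Checks a relying party performs on clientDataJSON before verifying the signature.

    The browser, not the web page, fills in "origin", so an assertion produced while the
    user is on a look-alike site fails here even though the biometric prompt succeeded.
    Returns (accepted, reason). The signature over authenticatorData || SHA-256(clientDataJSON)
    must still be verified afterwards; that step is outside this example.
    """
    client_data = json.loads(client_data_json)
    if client_data.get("type") != expected_type:
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or from another session)"
    origin = client_data.get("origin")
    if origin != RP_ORIGIN:
        return False, f"origin {origin!r} is not the relying party"
    return True, "client data accepted"

def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser produces (demo helper only)."""
    encoded = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": encoded, "origin": origin}).encode()

if __name__ == "__main__":
    challenge = b"\x01" * 32  # constructed; a server draws a fresh random challenge per login
    print(verify_client_data(make_client_data(RP_ORIGIN, challenge), challenge))
    print(verify_client_data(make_client_data("https://accounts-example.login.example", challenge),
                             challenge))
```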
What Can You Do If You’re An Employee or Manager?
Start by checking the “from” e-mail address. Looking at the actual address, rather than the display name, shows you whether it looks off or is not from who you expected. Sometimes, it may say “Microsoft” in your inbox, but when you look at the actual address, it will look completely unofficial. Remember, major companies will not message you asking for your account information. If you get an email saying your password has been compromised, access your account directly through a browser instead of clicking on the links given. Always check the email address before responding, clicking links or opening files. Doing this, you may find out it was from an untrustworthy source.
Do not open unexpected files. Attached email files may include harmful malware that can cause major issues on your computer or network. Part of this is having a good firewall. Sometimes you don’t even have to click on the file for it to download, so your virus protection and firewall should be up to date.
Do not click any links, full stop, until they have been checked. Hovering over a link will show you the web address it actually points to. In malicious emails, you will find that most links are disguised as trustworthy websites, and the real URL has nothing to do with the official website’s address. Make sure you’re familiar with the URLs of the websites and accounts that you frequent so you can quickly check that everything is on the up and up.
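The two manual checks above (the real sender address behind a display name, and the real link target behind link text) can also be automated. This is an added example written for this article, not code from the article or any product; the sample message, the brand-to-domain table and the `.example` hostnames are constructed for the demo, and anchors are matched with a regex rather than a full HTML parser to keep it short.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real phishing email): the display name claims "Microsoft",
# but neither the sender address nor the real link target is a microsoft.com host.
RAW_MESSAGE = b"""From: "Microsoft Account Team" <alerts@mail-relay.example>
Subject: Your password was compromised
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://secure-login.example/reset">https://login.microsoft.com</a>
to secure your account.</p>
"""

# Brands the check knows and the registrable domain legitimate mail should come from (demo table).
BRAND_DOMAINS = {"microsoft": "microsoft.com", "apple": "apple.com", "google": "google.com"}

def registered_domain(host):
    """Crude registrable-domain extraction (last two labels); enough for this demo."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def check_from(header_value):
    """Flag a From header whose display name names a brand the address domain does not match."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for brand, brand_domain in BRAND_DOMAINS.items():
        if brand in name.lower() and registered_domain(domain) != brand_domain:
            return f"display name says {brand!r} but address domain is {domain!r}"
    return None

def check_links(html_body):
    """Flag anchors whose visible text is a URL on a different domain than the real href."""
    findings = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.S):
        text = text.strip()
        shown = urlparse(text).hostname if "://" in text else None
        real = urlparse(href).hostname
        if shown and real and registered_domain(shown) != registered_domain(real):
            findings.append(f"link text shows {shown!r} but points to {real!r}")
    return findings

def analyze(raw):
    """Run both checks over a raw RFC 5322 message and return the list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = [f for f in [check_from(msg["From"])] if f]
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings
```

Running `analyze(RAW_MESSAGE)` yields two findings, one for the sender domain and one for the link mismatch; a mail filter or a user-side tool would surface these as warnings rather than blocking outright, since legitimate mail sometimes uses third-party senders.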
Try scanning the attachment first before opening or saving the file to your computer. If you have an anti-virus installed it should do this automatically, but make sure that you have your settings optimized so that it scans all emails for you.
Look through the full e-mail, taking everything in and going over all of its aspects, checking for grammar mistakes or weird images. Often, scams will have obvious problems in logic, word usage, and spelling. This doesn’t mean that every email with a misspelled word is from an attacker; even major companies mess up from time to time. However, it’s very uncommon and should be taken as a red flag immediately. Low-res images, weird font choices, old logos, wonky branding: these are all signs that the email may be illegitimate. Another thing to look out for is whether or not you’re expecting the email. If you aren’t expecting the e-mail, get confirmation from the sender.
Turn off your read receipts. Having read receipts on confirms to the sender that your email address is active, which can lead to more threats targeted at your email. Turning this off helps mitigate email threats and phishing scams, and can let you fly under the radar of phishing operations that might be targeting your company for a specialized spear attack. Spear attacks (spear phishing) are when attackers use public information and social media profiles to hand-craft a scam that is more effective than your average attack.
Get rid of unnecessary software. Doing a factory reset on your computers may be beneficial to remove anything that could be exploited by a malicious third party. Old programs have vulnerabilities that become more well-known in the hacking community over time, and if the company is now defunct or no longer updates that product, it’s time to find a replacement.
Implementing even a few of these tips will significantly increase your company’s overall security and lower the chance that you’ll be the victim of a phishing scam. A comprehensive security plan will require a lot of work and dedication, but it could potentially save you millions of dollars. The FBI reported that $3 billion is lost every year to email scams, and that number is only going up. Keep your company, employees, and most importantly your customers safe with the steps outlined in this article, and you’ll be well on your way to creating a secure system.
Creative Network Innovations offers an array of modern IT solutions & services that align with your business strategy. From Managed IT Services, Data Security and Disaster Recovery Plans to Voice Over IP phone systems and fully managed Private Cloud hosting, our technology specialists are eager to help improve your IT strategy. Ready To Get Started? Contact Us.